High

Adobe has released critical security updates for Acrobat and Reader to address multiple vulnerabilities that could allow attackers to execute arbitrary code or bypass essential security protections. These issues were disclosed in security bulletin APSB25-119, published on December 9, 2025, and assigned a priority rating of 3. The root cause of the vulnerabilities lies in weaknesses within the PDF processing engine, which impacts both Windows and macOS versions of Acrobat and Reader. Adobe emphasizes that prompt updating is crucial to preventing exploitation.

The bulletin details four vulnerabilities, including two critical flaws CVE-2025-64785 (Untrusted Search Path, CWE-426) and CVE-2025-64899 (Out-of-Bounds Read, CWE-125) both of which enable arbitrary code execution and carry a CVSS score of high. Additionally, two moderate-severity issues CVE-2025-64786 and CVE-2025-64787, both tied to Improper Verification of Cryptographic Signatures (CWE-347) could allow security feature bypass, each with a CVSS score high. While Adobe notes no active exploitation, the potential impact of code execution makes these vulnerabilities a significant threat.

A wide range of products across multiple versions are affected, including Acrobat DC, Acrobat Reader DC, Acrobat 2024, Acrobat 2020, and Acrobat Reader 2020. Impacted builds include 25.001.20982 and earlier for Acrobat and Reader DC, and several classic track versions across both Windows and macOS platforms (e.g., Acrobat 2024 Win ≤ 24.001.30264, Mac ≤ 24.001.30273). Adobe has released updated versions such as Acrobat/Reader DC 25.001.20997, Acrobat 2024 24.001.30307 (Windows), 24.001.30308 (macOS), and Acrobat 2020 20.005.30838 for both platforms.

Adobe strongly recommends updating immediately by using Help > Check for Updates, enabling automatic updates, or deploying patches through enterprise tools such as AIP-GPO, bootstrapper, or SCCM for Windows environments. While there are currently no known in-the-wild exploits, the combination of remote code execution potential and security bypass risks makes fast remediation essential. Organizations should ensure all affected systems receive these updates to prevent possible compromise.